Force clients in DC-less sites to get sensible Sysvol and Netlogon

Discussion in 'Active Directory' started by Nicky Burn, Nov 13, 2007.

  1. Nicky Burn

    Nicky Burn Guest

    Background:
    We are consolidating 70 small AD sites into 20 larger ones. During
    implementation, we will have a temporary stage where there are a number of
    sites with no DCs, and will be relying on automatic site coverage from the
    nearest DCs. Domain controllers are a mix of Windows 2003 R2 SP2 64-bit and
    Windows 2000 SP4.

    Specific question:
    I've done some testing to ensure that site coverage comes from the
    best-connected domain controller based on underlying site links. This all
    seems fine.
    I want to ensure that netlogon and sysvol referrals always come from the DC
    that authenticated the client, so I configured the DCs as follows:
    Windows 2000 - applied hotfix KB823362, created registry value
    HKLM\System\CurrentControlSet\Services\DFSDriver\DfsEnableSmartClient=1
    Windows 2003 - as per KB905846, created registry value
    HKLM\System\CurrentControlSet\Services\DFS\Parameters\SiteCostedReferrals=1.

    This also seems to work - using dfsutil /pktinfo shows the clients are
    consistently getting referrals as expected.

    However, I've also seen a different hotfix and registry change for the same
    issue in KB831201 - so which is the correct method? Or are both sets of
    changes required to make sure clients get the right referrals?

    Thanks in advance for any help.
     
    Nicky Burn, Nov 13, 2007
    #1

  2. Although I have not run into this particular scenario, I would opt for
    KB831201. The KB831201 article specifically is in line with your issue
    whereas KB823362 deals with a similar issue but was initially set up due to
    errors in the SMB referral service.
     
    Paul Bergson [MVP-DS], Nov 13, 2007
    #2

  3. Nicky Burn

    Nicky Burn Guest

    Paul, thanks very much for the quick response. I'll repeat tests with the
    KB831201 solution and go with that.

    Nicky
     
    Nicky Burn, Nov 13, 2007
    #3
  4. putting the authenticating DC at the top of the list depends on your
    scenario....

    assuming you ALSO implemented: http://support.microsoft.com/?kbid=306602 for
    datacenters as in only those register the domain-wide records in DNS and
    spokes register only site-wide records

    if you have just ONE datacenter and the spokes are connected to the
    datacenter --> implement only the KB for correcting DFS referral ordering.
    putting the auth DC on top may not give you additional benefit. it will
    already be serviced by a DC in the datacenter site

    if you have MULTIPLE datacenters and the spokes are connected to one or
    more datacenters --> implement only the KB for correcting DFS referral
    ordering. putting the auth DC on top may not give you the most optimal DC.
    you might be authenticated by a DC in the datacenter that is further from
    you. by not implementing the "put auth DC on top KB" DFS referral is most
    optimal

    unless there is a reason for using the same DC for SYSVOL as for auth, I
    would not implement it

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP - DS], Nov 14, 2007
    #4
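An added example, not code from the thread or from any of its posters, that turns the two configuration points above into a read-only check: Nicky's per-OS DFS referral registry values from the opening post (KB823362/DfsEnableSmartClient on Windows 2000, KB905846/SiteCostedReferrals on Windows 2003) and Jorge's KB306602 point that only hub DCs should register the domain-wide DC locator records. KB306602 implements that suppression through the Netlogon `DnsAvoidRegisterRecords` value, which the script reads. It also parses `dfsutil /pktinfo` on the client to see whether the ACTIVE SYSVOL target is the authenticating DC, the verification Nicky describes. Assumptions: PowerShell 3.0 or later, Remote Registry reachable on the DCs, `dfsutil.exe` on the client, the DC names are constructed placeholders, and the `dfsutil /pktinfo` line shapes in the comments are assumed rather than taken from the thread.

```powershell
# Added example (not from the thread). Read-only audit of:
#  - Windows 2000 DCs: KB823362 + DFSDriver\DfsEnableSmartClient = 1
#  - Windows 2003 DCs: KB905846 + DFS\Parameters\SiteCostedReferrals = 1
#  - KB306602: spoke DCs suppress domain-wide DC locator records via
#    Netlogon\Parameters\DnsAvoidRegisterRecords; hub DCs must not.
# Plus a client-side check that the ACTIVE SYSVOL referral is the authenticating DC.
# DC names below are constructed placeholders.

$dcs = @(
    @{ Name = 'HUB1-DC1';   Role = 'hub'   },
    @{ Name = 'SPOKE7-DC1'; Role = 'spoke' }
)

function Get-RemoteRegValue {
    # Reads one HKLM value from a remote machine; $null if absent or unreadable.
    param([string]$Computer, [string]$SubKey, [string]$Value)
    $base = $null
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key = $base.OpenSubKey($SubKey)
        if ($key -eq $null) { return $null }
        $result = $key.GetValue($Value)
        $key.Close()
        return $result
    } catch {
        Write-Warning "$Computer : cannot read HKLM\$SubKey ($($_.Exception.Message))"
        return $null
    } finally {
        if ($base -ne $null) { $base.Close() }
    }
}

function Test-DcReferralConfig {
    param([string]$Computer, [string]$Role)
    $os = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer).Caption
    $findings = @()

    if ($os -match '2000') {
        $v = Get-RemoteRegValue $Computer 'SYSTEM\CurrentControlSet\Services\DFSDriver' 'DfsEnableSmartClient'
        if ($v -ne 1) { $findings += "DfsEnableSmartClient='$v' (expected 1, KB823362)" }
    } else {
        $v = Get-RemoteRegValue $Computer 'SYSTEM\CurrentControlSet\Services\DFS\Parameters' 'SiteCostedReferrals'
        if ($v -ne 1) { $findings += "SiteCostedReferrals='$v' (expected 1, KB905846)" }
    }

    # REG_MULTI_SZ of record mnemonics; empty or absent means the DC registers everything.
    $avoid = Get-RemoteRegValue $Computer 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'DnsAvoidRegisterRecords'
    if ($Role -eq 'spoke' -and -not $avoid) {
        $findings += 'DnsAvoidRegisterRecords unset: spoke DC still registers domain-wide records (KB306602)'
    } elseif ($Role -eq 'hub' -and $avoid) {
        $findings += "DnsAvoidRegisterRecords=$($avoid -join ','): hub DC may not cover DC-less sites"
    }

    $status = 'OK'
    if ($findings.Count -gt 0) { $status = 'CHECK' }
    [PSCustomObject]@{
        DC       = $Computer
        OS       = $os
        Role     = $Role
        Status   = $status
        Findings = ($findings -join '; ')
    }
}

function Test-SysvolReferral {
    # Parses this client's DFS referral cache. Assumed 'dfsutil /pktinfo' line shapes:
    #   Entry: \contoso.com\sysvol
    #      0:[\HUB1-DC1\sysvol] AccessStatus: 0 ( ACTIVE TARGETSET )
    $inSysvol = $false
    $active = $null
    foreach ($line in (& dfsutil /pktinfo 2>&1)) {
        if ($line -match '^\s*Entry:\s*(\S+)') { $inSysvol = ($matches[1] -match '\\sysvol$'); continue }
        if ($inSysvol -and $line -match '\[\\([^\\\]]+)\\sysvol\].*ACTIVE') { $active = $matches[1] }
    }
    $logon = $env:LOGONSERVER -replace '^\\\\', ''
    [PSCustomObject]@{
        LogonServer  = $logon
        ActiveSysvol = $active
        Match        = ($active -ne $null -and $active -eq $logon)
    }
}

$dcs | ForEach-Object { Test-DcReferralConfig -Computer $_.Name -Role $_.Role } | Format-Table -AutoSize
Test-SysvolReferral | Format-List
```

Run the DC audit from a hub with an account that can read the DCs' registries, and the client check from a workstation in one of the DC-less sites after the referral cache has been cleared. As Jorge's later posts point out, `Match` being false is not automatically wrong: with multiple hubs the site-cost-ordered referral can legitimately differ from the authenticating DC, so read that column against the site-link costs rather than as a pass/fail.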
  5. Jorge,
    You make a really good point on http://support.microsoft.com/?kbid=306602, I
    wish I had pointed this out. It is crucial to this scenario.

    I'm unclear as to why you would want to be provided a random sysvol as
    opposed to the authenticated one. How would the sysvol selection be any
    different than the authenticating dc as far as determining the closest dc to
    the client.
     
    Paul Bergson [MVP-DS], Nov 14, 2007
    #5
  6. Nicky Burn

    Nicky Burn Guest

    Jorge, thanks for your post (and thanks for your blog, which is where most of
    my information on this stuff came from in the first place!)

    We will have a mix of hub and spoke sites. Hub sites are well connected to
    an MPLS LAN. Spoke sites are poorly connected. Spoke sites will be
    configured to register only site-wide DNS records as in the KB306602 you
    mention. Hub sites will register generic records and can therefore serve any
    site. Each site will have a single DC.

    In addition, The underlying site topology will be configured so when a spoke
    site's DC is demoted, the lowest-cost connection to that site will be from a
    DC in the closest hub site to that spoke. This hub site will therefore
    register site-specific records in DNS for the DC-less site.

    As far as I can see, this means that in our case the authenticating DC will
    always be the best one to provide Sysvol. HOWEVER, I've just found out from
    product support that KB831201 doesn't exist for x64 systems, so I can't use
    it anyway! So it's back to plan A from my original post.

    Thanks again for the help,

    Nicky
     
    Nicky Burn, Nov 14, 2007
    #6
  7. when writing my response I was thinking "when a DC in the spoke goes down"
    while you are talking about DC-less sites. But even then....

    remember, that you may gain for DC-less sites, but you may not gain for
    spoke sites that have a DC that is down (especially when having multiple
    HUBs). If a spoke site is connected to multiple hubs that have registered
    the domain-wide RRs and the spoke site DC is down you will get to a DC in
    ONE of the HUB sites for auth. For SYSVOL you will use the connection to the
    HUB site with the lowest cost (assuming the KB for the DFS referrals has
    been implemented)

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP - DS], Nov 14, 2007
    #7
  8. no, you have multiple choices...
    using the authenticating DC
    AND
    using the list of DFS referrals based upon site link costs (which I like
    more)

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    ------------------------------------------------------------------------------------------
    * How to ask a question --> http://support.microsoft.com/?id=555375
    ------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test before implementing!
    ------------------------------------------------------------------------------------------
    #################################################
    #################################################
    ------------------------------------------------------------------------------------------
     
    Jorge de Almeida Pinto [MVP - DS], Nov 14, 2007
    #8
  9. Nicky Burn

    Nicky Burn Guest

    Good point - I hadn't really thought yet about the scenario when a spoke DC
    goes down.

    Thanks once again!
     
    Nicky Burn, Nov 14, 2007
    #9
  10. I follow that, but by having the authenticating dc at the top of the list, I
    would think this would be (On most times) the closest. That is where I
    don't understand why you wouldn't want the authenticating DC to be the first
    choice, I'm not advocating the only choice.
     
    Paul Bergson [MVP-DS], Nov 14, 2007
    #10
  11. see the other posts about this topic in this newsgroup

    there are situations where that would not give you the most optimal choice

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP - DS], Nov 15, 2007
    #11